AWS Identity and Access Management
User Guide

Creating SAML Identity Providers

A SAML 2.0 identity provider is an entity in IAM that describes an identity provider (IdP) service that supports the SAML 2.0 (Security Assertion Markup Language 2.0) standard. You use a SAML identity provider when you want to establish trust between an SAML-compatible IdP such as Shibboleth or Active Directory Federation Services so that users in your organization can access AWS resources. SAML identity providers in IAM are used as principals in an IAM trust policy.

For more information about this scenario, see About SAML 2.0-based Federation.

You can create and manage a SAML identity provider in the AWS Management Console or with AWS CLI, Tools for Windows PowerShell, or AWS API calls.

After you create a SAML provider, you must create one or more IAM roles. A role is an identity in AWS that doesn't have its own credentials (as a user does) but is, in this context, dynamically assigned to a federated user that is authenticated by your organization's identity provider (IdP). The role permits your organization's IdP to request temporary security credentials for access to AWS. The policies assigned to the role determine what the federated users are allowed to do in AWS. To create a role for SAML federation, see Creating a Role for a Third-Party Identity Provider (Federation).

Finally, after you create the role, you complete the SAML trust by configuring your IdP with information about AWS and the role(s) that you want your federated users to use. This is referred to as configuring relying party trust between your IdP and AWS. To configure relying party trust, see Configuring your SAML 2.0 IdP with Relying Party Trust and Adding Claims.

Creating and Managing a SAML Identity Provider (AWS Management Console)

You can use the AWS Management Console to create and delete SAML identity providers.

To create a SAML identity provider

  1. Before you can create a SAML identity provider, you need the SAML metadata document that you get from the IdP that includes the issuer's name, expiration information, and keys that can be used to validate the SAML authentication response (assertions) that are received from the IdP. To generate the metadata document, use the identity management software your organization uses as its IdP. For instructions on how to configure many of the available IdPs to work with AWS, including how to generate the required SAML metadata document, see Integrating Third-Party SAML Solution Providers with AWS.


    The metadata file must be encoded in UTF-8 format without a byte order mark (BOM). Also, the x.509 certificate that is included as part of the SAML metadata document must use a key size of at least 1024 bits. If the key size is smaller, the IdP creation fails with an "Unable to parse metadata" error. To remove the BOM, you can encode the file as UTF-8 using a text editing tool, such as Notepad++.

  2. Sign in to the AWS Management Console and open the IAM console at

  3. In the navigation pane, click Identity Providers and then click Create Provider.

  4. For Provider Type, click Choose a provider type and click SAML.

  5. Type a name for the identity provider.

  6. For Metadata Document, click Choose File, specify the SAML metadata document that you downloaded in Step 1, and click Open. Click Next Step.

  7. Verify the information you have provided, and click Create.

To delete a SAML provider

  1. Sign in to the AWS Management Console and open the IAM console at

  2. In the navigation pane, click Identity Providers.

  3. Select the check box next to the identity provider that you want to delete.

  4. Click Delete Providers.

Managing a SAML Provider (AWS CLI, Tools for Windows PowerShell and AWS API)

Use the following commands to create and manage a SAML provider.

To create an identity provider and upload a metadata document

To upload a new metadata document for an IdP

To get information about a specific provider, such as the ARN, creation date, and expiration

To list information for all IdPs, such as the ARN, creation date, and expiration

To delete an IdP